topic Re: Gaia Portal Certificate Imported but not working in Firewall and Security Management

Gaia Portal Certificate Imported but not working

Bernardes — Wed, 18 Jan 2023 16:29:23 GMT

Hello Mates!

I imported a certificate to Gaia Portal following the sk97648 process, but when I accessed the portal, the web browser yet shows me a warning.

Is there something more to do after importing the certificate and installing the policy? Any troubleshooting and workaround to follow?

Obs: The same certificate is be using by sslvpn and the sslvpn link works fine, without the warning.

Thank you!

Re: Gaia Portal Certificate Imported but not working

_Val_ — Wed, 18 Jan 2023 16:42:05 GMT

Any screenshots of that warning?

Re: Gaia Portal Certificate Imported but not working

Bernardes — Wed, 18 Jan 2023 21:01:12 GMT

Hello @_Val_

The warning is the default web browser not secure HTTPS. As if it doesn't have any certificate yet.

Re: Gaia Portal Certificate Imported but not working

Kaspars_Zibarts — Thu, 19 Jan 2023 06:40:55 GMT

Just assuming you have done basic checks regarding trusted root CA? I.e. you checked from it cert chain in browser and then compared root CA to your computer CA trust store or Firefox own cert store (depending your FF config)

Re: Gaia Portal Certificate Imported but not working

Bernardes — Thu, 19 Jan 2023 12:08:24 GMT

Hello @Kaspars_Zibarts

I'm not sure about this information. Like I said, the same certificate is be using in both portal, gaia and sslvpn.

When I access the sslvpn it works fine, but when I access the gaia portal in 8443 port this shows the warning on any web browser.

Look the print bellow.

Re: Gaia Portal Certificate Imported but not working

PhoneBoy — Thu, 19 Jan 2023 17:55:05 GMT

Post screenshots of the "working" and "non-working" portal certificates.
After literally typing "thisisunsafe" on the warning screen (or clicking the various buttons to ignore the warning), click on the lock icon on the browser.

I suspect the certificate is signed by one or more intermediate CAs.
In this case, you will need to include the entire certificate chain as part of the key you import.
More precisely, it means including the public key of all relevant CAs (root and intermediates).

Re: Gaia Portal Certificate Imported but not working

Kaspars_Zibarts — Fri, 20 Jan 2023 07:26:34 GMT

You need to check certification chain in the browser first, i.e. in Chrome:

Then check details for cert chain and see actual issuing root CA:

Then compare it to your computer Root CA store:

Note that FF uses own trusted root CA store instead of windows OS, so you can google how to check that or else use Edge or Chrome

Re: Gaia Portal Certificate Imported but not working

Bernardes — Sun, 22 Jan 2023 20:36:40 GMT

Hello @Kaspars_Zibarts first of all, thank you very much for clarifying!

Look how it shows when I access the Gaia Portal via Chrome:

It shows the internal interface IP in the certificate place.

Why it happens if I import the certificate by SmartConsole the same way that the sslvpn was imported?

bellow the sslvpn portal, works fine.

Re: Gaia Portal Certificate Imported but not working

Kaspars_Zibarts — Mon, 23 Jan 2023 10:00:02 GMT

You need to configure both - platform URL that matches name in the cert (or SAN list) plus import correct cert:

Re: Gaia Portal Certificate Imported but not working

Bernardes — Tue, 24 Jan 2023 13:15:20 GMT

@Kaspars_Zibarts the same certificate was imported for both portals, gaia and sslvpn.

but how we can see when I access Gaia portal the certificate shows the gateway IP interface on the "Certificate Hierarchy" of Chrome. I'm not sure why it happens

Re: Gaia Portal Certificate Imported but not working

PhoneBoy — Wed, 25 Jan 2023 04:32:59 GMT

What's the details of the certificate that shows the IP address?
I suspect it's a different certificate than the one you uploaded.

Re: Gaia Portal Certificate Imported but not working

Kaspars_Zibarts — Thu, 26 Jan 2023 17:52:49 GMT

What does the name in main URL field resolve to? Cluster IP or member IP?

Ideally you want separate names for each cluster member and matching cert. Or all listed in SAN list in the same cert